feat(profile): add some unix rules with local address.

2024-11-15 16:03:51 +01:00 · 2024-02-29 21:15:59 +00:00 · 2024-02-29 21:15:59 +00:00 · f76051f114
commit f76051f114
parent 956c282794
9 changed files with 14 additions and 0 deletions
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -14,6 +14,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

+  signal (receive) set=(cont, term) peer=@{systemd_user},
  signal (receive) set=term peer=ibus-daemon,

  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????",          label=ibus-daemon),
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -20,6 +20,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>

+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
  unix (connect, receive, send) type=stream peer=(label=ibus-daemon),

  network inet stream,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -19,6 +19,7 @@ profile plymouthd @{exec_path} {
  network netlink raw,

  signal (send) peer=unconfined,
+  signal (send) set=(rtmin+23) peer=@{systemd},
  signal (send) set=(rtmin+23) peer=systemd-shutdown,

  ptrace (read) peer=plymouth,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -47,6 +47,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal (send) set=hup peer=xwayland,
  signal (send) set=term peer=gdm-*-session,

+  unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
+
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=*Session
--- a/apparmor.d/groups/ssh/gcr-ssh-agent
+++ b/apparmor.d/groups/ssh/gcr-ssh-agent
@ -10,6 +10,8 @@ include <tunables/global>
 profile gcr-ssh-agent @{exec_path} {
  include <abstractions/base>

+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
  @{exec_path} mr,

  include if exists <local/gcr-ssh-agent>
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

+  signal (receive) set=(cont term) peer=@{systemd_user},
  signal (receive) set=term peer=cockpit-bridge,
  signal (receive) set=term peer=gnome-keyring-daemon,

--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -17,6 +17,8 @@ profile busctl @{exec_path} {

  ptrace (read),

+  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
+
  @{exec_path} mr,

  @{bin}/less  rPx -> child-pager,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -17,6 +17,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  # Needed?
  audit capability net_admin,

+  unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system,
+
  # dbus: own bus=system name=org.freedesktop.locale1

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -22,6 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,

  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
+  unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),

  # dbus: own bus=system name=org.freedesktop.timesync1